1) Does fencemail.com use any public keyrings, such as pgp.mit.edu? So that if a non-fencemail user publishes their public key somewhere, fencemail will find it?

> Yes, mailfence users can find and import other PGP public keys from public key servers (pgp.mit.edu...) via their integrated key store (into their key-ring) and can also publish their own public keys so that other users can find them as well. For more info. check out this "how-to" guide.

Quote:

Originally Posted by zimmermanfan

1.1) If not, suppose I'm not a fencemail user, but I want to send a message to two fencemail users. Do they each have to add my public key to the keyring, or is it a shared public keyring so that my key only needs to be added once? I don't see a fencemail equivalent of hushtools.com, where outsiders can supply their public keys so that encryption "just works" for fencemail users who correspond with outsiders.

> If you're not a mailfence user - and sending an encrypted email to multiple recipients that uses mailfence. You will need their PGP public keys (via public key server - if they have published it there, or by any other out-of-band means) in order to encrypt your email for them. As recipients (mailfence users), they will need their private key to decrypt an email which you've sent to them - and does not require your public key for that purpose.
Now both of the recipients will have to add your public key in their integrated key stores (individually) to securely reply back to you - this will allow them to verify your public key in a much richer way (matching fingerprint....etc) instead of relying onto a centralized local key-server which not only is insecure but also contradicts with the concept of PGP on philosophical grounds (No centralization/or centralized authority).
Moreover, a fully featured integrated key store also enable our users to perform all the crypto-keys related operations (import/export/modify/revoke/delete...) by themselves and thus transfer the full control of their privacy into their own hands - and that is what our belief duly relies upon.

Quote:

Originally Posted by zimmermanfan

2) If a fencemail user downloads their mail over IMAP, is the payload PGP-encrypted? IOW, do they need to export their private key from fencemail and then import it locally?

> Mailfence is a 'pure' end-to-end encrypted solution (en(de)cryption occurs on the client-side) - therefore all the encrypted content remains encrypted at all times.
When you import encrypted emails via IMAP - you will receive them in as-is manner and will have to export your private key (in your local machine/or any other device) to decrypt them.

Quote:

Originally Posted by zimmermanfan

3) Why does fencemail.com use non-free javascript? Why is it blocked by the LibreJS tool?

> The JavaScript we use is very complex and compressed. LibreJS simply translates 'it's complex' by 'it's suspect' which we find unrealistic. Its analysis is too simple to handle most modern JavaScript frameworks.
FYI: we are planning to release the code of our front-end in a later phase which will further clarify this and other code-level concerns.

Quote:

Originally Posted by zimmermanfan

4) Why is First name and Last name required? Streetwise users don't give their real names, so you immediately put them in a position of making a false statement. It would be more appropriate to make these fields *optional* during registration, and changeable thereafter.

> Those fields allow us to suggest you an email address and provide you a login name. You can always change them once you create your account (in your 'personal data').
Moreover, as per our privacy policy - we never share any sort of data with any third-party, and comply by the Belgian law.